Return 401 if authentication is not provided

[sadiqkhoja]

Prerequisite for getodk/central#1001

What has been done to verify that this works as intended?

All tests are passing.

Some tests are updated to reflect the correct requirement.

Why is this the best possible solution? Were any other approaches considered?

It is necessary to distinguish between 401 and 403, previously we were relying on resources to perform authorization even when authentication failed.

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

This PR shouldn't be merged until corresponding frontend changes are ready. There are some places where frontend code expects 403, that needs to be updated.

Does this change require updates to the API documentation? If so, please update docs/api.yaml as part of this PR.

No

Before submitting this PR, please make sure you have:

• run make test and confirmed all checks still pass OR confirm CircleCI build passes
• verified that any code from external sources are properly credited in comments or that everything is internally sourced

[alxndrsn]

This endpoint does not currently require authentication. How does that expectation changing relate to 401 vs 403 errors?

[matthew-white]

Those two changes (more 401 errors + requiring auth for /v1/roles) both touch on the theme of anonymity. However, I agree that they're also conceptually distinct. If it's easy to pull the two changes apart, that'd make this PR a little smaller, which sounds nice. I'm also OK with reviewing both changes as part of this PR. I like the idea of having the /v1/roles endpoints check auth.

[alxndrsn]

Where is an "empty" session now handled?

[matthew-white]

I think the callback passed to authBySessionToken() handles that case.

[alxndrsn]

Suggested change

	const preprocessors = [ queryOptionsHandler, userAgentHandler ];
	const commonPreprocessors = [ queryOptionsHandler, userAgentHandler ];

[alxndrsn]

Would this code be more intuitive if the endpoint implementation was passed in rather than being derived from path?

e.g.

const openRosaSubmission = (endpoint, path, draft, getForm) => {

or

const openRosaSubmission = (path, { isDraft, requiresAuth }, getForm) => {

[matthew-white]

I like the idea of making this an explicit argument (either of the suggestions above). 👍

[alxndrsn]

It's not obvious how this change is related to 401 responses; any pointers?

[alxndrsn]

Would there be value in a corresponding test case for authenticated users who are unauthorised?

[matthew-white]

Similar question from me. I'd expect every endpoint that calls auth.canOrReject() to have a test asserting a 403. This test now never reaches the actual endpoint logic: it's just being stopped by the preprocessor, which we test elsewhere.

[alxndrsn]

From https://www.rfc-editor.org/rfc/rfc9110#status.401:

The server generating a 401 response MUST send a WWW-Authenticate header field (Section 11.6.1) containing at least one challenge applicable to the target resource.

Is this relevant, and if so is it covered by this PR?

[alxndrsn]

Does this change require updates to the API documentation? If so, please update docs/api.yaml as part of this PR.

No

Checking one endpoint at random, it looks like some API docs might need updates:

central-backend/docs/api.yaml

Lines 1965 to 1970 in 889d208

	403:
	description: Forbidden
	content:
	application/json:
	schema:
	$ref: '#/components/schemas/Error403'

[matthew-white]

The server generating a 401 response MUST send a WWW-Authenticate header field …

Is this relevant, and if so is it covered by this PR?

I don't think we ever send that header, so I don't think this PR needs to do so. How about we continue discussing that header in #851?

[matthew-white]

For the GET /users endpoint, could you remove the auth.isAuthenticated check? Since the endpoint uses endpoint, we can be sure that it's authenticated.

[matthew-white]

Or maybe it's a nice safeguard? It sort of feels redundant to me now.

[matthew-white]

endpointByInvalidateQuery and endpointByTestPath above make me think that if/when we update endpoint to accept an options object, we should make the anonymous option take a callback.

Maybe it'd be reasonable to do something like that now? What if anonymousEndpoint accepted a function returning true/false, and then anonymousEndpoint either called authHandler or not based on the result? We could even make the function required, since Ramda F would be easy to pass in.

Just a thought, I'm also happy with the approach here. 👍

[matthew-white]

Doesn't need to change, but just FYI, you can pass an array to service.login():

service.login(['alice', 'bob'], (asAlice, asBob) =>

[matthew-white]

I feel like this test is looking at nonexistence, not lack of authentication. I think the test should have Alice send the request, then assert that it's a 403. This endpoint is unusual in that it returns a 403 in the nonexistence case instead of a 404.

[matthew-white]

This cookie looks unusual, shouldn't it be = instead of :?

[matthew-white]

This is probably on your radar already, but the change from 404 to 401 will require a change to restoreSession() in Frontend.

[matthew-white]

Maybe we can remove the part of the test description about "for non-GET requests". We will now fail even GET requests.

[matthew-white]

The approach that's being taken here seems like a good one to me. I left some questions/thoughts above, but I think this will be a nice change for Central.